Support transport agnostic token passing in channels #6086

Draft
wants to merge 3 commits into
base: main

SteffenDE
Contributor

For WebSocket, the `Sec-WebSocket-Protocol` header is used. For LongPoll, an `Authorization` header is passed instead.

Fixes #5778.

conn
|> fetch_query_params()
|> Transport.code_reload(endpoint, opts)
|> Transport.transport_log(opts[:transport_log])
|> Transport.check_origin(handler, endpoint, opts)
|> Transport.check_subprotocols(opts[:subprotocols])
|> maybe_auth_token_from_header(opts[:auth_token])
|> Transport.check_subprotocols(subprotocols)
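
Review bot: at the `maybe_auth_token_from_header(opts[:auth_token])` step, please confirm the auth token entry is taken out of the `Sec-WebSocket-Protocol` list before `Transport.check_subprotocols(subprotocols)` runs, so the credential can never be matched as a subprotocol and returned in the handshake response. The `subprotocols` variable now replaces `opts[:subprotocols]`, but its binding is outside the lines shown; a short comment there stating whether it already excludes the token entry would make this ordering auditable. Since `Transport.transport_log(opts[:transport_log])` sits earlier in the same pipeline, it is also worth checking that the raw header value does not reach the transport log.
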
Member

@josevalim josevalim Feb 15, 2025

Honestly, it feels we should just bring this function to this module and have it deal with both auth_token and subprotocols at once, or move auth_token to check subprotocols. Transport is meant to have transport agnostic functions, and that one is clearly websockets related, so it shouldn't exist in the first place.

Contributor Author

It is part of the public API, so we can't really change it, can we?
https://hexdocs.pm/phoenix/Phoenix.Socket.Transport.html#check_subprotocols/2

Member

Yes, we cannot, but maybe we can move the auth token handling there anyway?

Member

@josevalim josevalim left a comment

LGTM. I have dropped a comment about subprotocol handling but it can be handled in a future PR!

Successfully merging this pull request may close these issues.

Current approach to passing token in channels is unsafe